W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2012

Re: [XHR] Open issue: allow setting User-Agent?

From: Julian Aubourg <j@ubourg.net>
Date: Thu, 11 Oct 2012 17:27:25 +0200
Message-ID: <CANUEoesYY_OP4vFaJdBXoAR6Td-xATL3iyhbh8fvh1JKzd-CeQ@mail.gmail.com>
To: public-webapps@w3.org
> I personally have contacted hundreds of sites for these types of issues
> over the past few years. We've done the education, outreach, evangelism,
> etc. Success rates are very low, the majority are simply ignored.


I'm sorry to hear that. I really am. Still trying to have people stop
browser sniffing client-side. :(


> I'm sorry but that's complete non-sense. The backend is the provider of the
>> data and has all the right when it comes to its distribution. If it's a
>> mistake on the backend's side (they filter out while they didn't intend
>> to)
>> just contact the backend's maintainer and have them fix this server-side
>> problem... well... server-side.
>>
>
> This isn't feasible. There's a whole web out there filled with legacy
> content that relies on finding the string "Mozilla" or "Netscape", for
> example. See also the requirements for navigator.appName,
> navigator.appVersion, document.all, etc. You can't even get close to
> cleaning up the mess of legacy code out there, so you work around it. And
> history repeats itself today with magical strings like "Webkit" and
> "Chrome".
>
> What of new browsers, how do they deal with this legacy content? The same
> way that current ones do, most likely -- by pretending to be something else.
>

The problem is that the same reasoning can be made regarding CORS. We have
backends, today, that do not support it. I'm not convinced they actually
want to prevent Cross-Domain requests that come from the browser. Truth is
it depends on the backend. So why do we require server opt-in when it comes
to CORS? After all, it is just a limitation in the browser itself. Surely
there shouldn't be any issue given these URLs are already fetchable from a
browser provided the page origin is the same. You can even fetch them using
another backend or shell or whatever other means.

Problem is backends expect this limitation to be true. So very few actually
control anything because browsers on a page from another origin are never
supposed to request the backend. There is potential for abuse here.
Solution was to add an opt-in system. For backends that are not maintained,
behaviour is unchanged. Those that want to support CORS have to say so
explicitely.

If we had a mechanism to do the same thing for the fact of modifying the
UserAgent header, I wouldn't even discuss the issue. Target URL authorizes
UserAgent to be changed, browser accepts custom UserAgent, sends the
request and filtering that happened between the URL and the browser would
be bypassed (solving the problem Hallvord gave with devs working on a part
of a site and having to deal with some filtering above their heads). Could
work pretty much exactly like CORS custom headers are handled. Hell, it
could even be made generic and could potentially solve other issues.

What's proposed here is entirely different though: it's an all or nothing
approach. Now I'm just trying to see if there is no potential danger here.


> <aside>
>
>  The burden of proof is on you. *You* ha
>>
>
> Emphasis with asterisks seems unnecessary aggressive. Perhaps
> unintentionally so. :)
> </aside>
>
>
Sorry about that, not my intention at all. I'd love to be convinced and I'd
just love it if Hallvord (or anyone really) could actually pull it off. So
it's positive excitement, not negative one. I hope my answer above will
make my reasonning a bit clearer (just realized it wasn't quite clear
before).
Received on Thursday, 11 October 2012 15:28:02 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:55 GMT